I know I can implement layer-2 port security on my 4500 switches. That is, I can arrange it so that if a user connects a foreign device to the port, the port goes into errdisable.
What I want to do is the same thing at layer-3. From time to time, users try to attach foreign network-aware devices such as PDAs to the USB port of their PCs. Sometimes these devices try (unsuccessfully) to do a DHCP, and sometimes they seem to just appear on the network as 169.254.2.2 or 126.96.36.199. But they always use the MAC address of the PC.
What I want is for the port to get shut down if the host generates a DHCP, or if the port sees packets from any address in 169.254.0.0/16. Does anyone have a way to do that?